Replace network exception script with public access enabling script i…

…n deployment process
microsoft · Feb 21, 2025 · 5dc89a4 · 5dc89a4
1 parent 528f73e
commit 5dc89a4
Show file tree

Hide file tree

Showing 14 changed files with 140 additions and 195 deletions.
diff --git a/core/terraform/migrate.sh b/core/terraform/migrate.sh
@@ -6,7 +6,7 @@ set -o nounset
 # set -o xtrace
 
 # shellcheck disable=SC1091
-source ../../devops/scripts/mgmtstorage_add_network_exception.sh
+source ../../devops/scripts/mgmtstorage_enable_public_access.sh
 
 get_resource_id() {
   local json_data="$1"

diff --git a/core/terraform/outputs.sh b/core/terraform/outputs.sh
@@ -2,7 +2,7 @@
 set -e
 
 # shellcheck disable=SC1091
-source ../../devops/scripts/mgmtstorage_add_network_exception.sh
+source ../../devops/scripts/mgmtstorage_enable_public_access.sh
 
 if [ ! -f ../tre_output.json ] || [ ! -s ../tre_output.json ]; then
   # Connect to the remote backend of Terraform

diff --git a/devops/scripts/mgmtstorage_add_network_exception.sh b/devops/scripts/mgmtstorage_add_network_exception.sh
diff --git a/devops/scripts/mgmtstorage_enable_public_access.sh b/devops/scripts/mgmtstorage_enable_public_access.sh
@@ -0,0 +1,130 @@
+#!/bin/bash
+
+#
+# Add an exception to the TRE management storage account by making it public for deployment, and remove it on script exit.
+#
+# Note: Ensure you "source" this script, or else the EXIT trap won't fire at the right time.
+#
+
+function mgmtstorage_enable_public_access() {
+  local RESOURCE_GROUP
+  RESOURCE_GROUP=$(get_resource_group_name)
+
+  local SA_NAME
+  SA_NAME=$(get_storage_account_name)
+
+  # Check that the storage account exists before making changes
+  if ! does_storage_account_exist "$SA_NAME"; then
+    echo -e "Error: Storage account $SA_NAME does not exist.\n" >&2
+    exit 1
+  fi
+
+  # Pre-check: if public access is already enabled, no need to update.
+  if is_public_access_enabled "$RESOURCE_GROUP" "$SA_NAME"; then
+    echo -e " Storage account $SA_NAME is already publicly accessible\n"
+    return
+  fi
+
+  echo -e "\nEnabling public access on storage account $SA_NAME"
+
+  # Enable public network access with explicit default action allow
+  az storage account update --resource-group "$RESOURCE_GROUP" --name "$SA_NAME" --public-network-access Enabled --default-action Allow --output none
+
+  for ATTEMPT in {1..10}; do
+    if is_public_access_enabled "$RESOURCE_GROUP" "$SA_NAME"; then
+      echo -e " Storage account $SA_NAME is now publicly accessible\n"
+      return
+    fi
+
+    echo " Unable to confirm public access on storage account $SA_NAME after $ATTEMPT/10. Waiting for update to take effect..."
+    sleep 10
+  done
+
+  echo -e "Error: Could not enable public access for $SA_NAME after 10 attempts.\n"
+  exit 1
+}
+
+function mgmtstorage_disable_public_access() {
+  local RESOURCE_GROUP
+  RESOURCE_GROUP=$(get_resource_group_name)
+
+  local SA_NAME
+  SA_NAME=$(get_storage_account_name)
+
+  # Check that the storage account exists before making changes
+  if ! does_storage_account_exist "$SA_NAME"; then
+    echo -e "Error: Storage account $SA_NAME does not exist.\n" >&2
+    exit 1
+  fi
+
+  # Pre-check: if public access is already disabled, no need to update.
+  if ! is_public_access_enabled "$RESOURCE_GROUP" "$SA_NAME"; then
+    echo -e " Storage account $SA_NAME is already not publicly accessible\n"
+    return
+  fi
+
+  echo -e "\nDisabling public access on storage account $SA_NAME"
+
+  # Disable public network access with explicit default action deny
+  az storage account update --resource-group "$RESOURCE_GROUP" --name "$SA_NAME" --public-network-access Disabled --default-action Deny --output none
+
+  for ATTEMPT in {1..10}; do
+    if ! is_public_access_enabled "$RESOURCE_GROUP" "$SA_NAME"; then
+      echo -e " Public access has been disabled successfully\n"
+      return
+    fi
+
+    echo " Unable to confirm public access is disabled on storage account $SA_NAME after $ATTEMPT/10. Waiting for update to take effect..."
+    sleep 10
+  done
+
+  echo -e "Error: Could not disable public access for $SA_NAME after 10 attempts.\n"
+  exit 1
+}
+
+function get_resource_group_name() {
+  if [[ -z "${TF_VAR_mgmt_resource_group_name:-}" ]]; then
+    echo -e "Error: TF_VAR_mgmt_resource_group_name is not set\nExiting...\n" >&2
+    exit 1
+  fi
+  echo "$TF_VAR_mgmt_resource_group_name"
+}
+
+function get_storage_account_name() {
+  if [[ -z "${TF_VAR_mgmt_storage_account_name:-}" ]]; then
+    echo -e "Error: TF_VAR_mgmt_storage_account_name is not set\nExiting...\n" >&2
+    exit 1
+  fi
+  echo "$TF_VAR_mgmt_storage_account_name"
+}
+
+function does_storage_account_exist() {
+  [[ -n "$(az storage account show --name "$1" --query "id" --output tsv)" ]]
+}
+
+function is_public_access_enabled() {
+  local RESOURCE_GROUP="$1"
+  local SA_NAME="$2"
+
+  # Try listing containers
+  local containers
+  if ! containers=$(az storage container list --account-name "$SA_NAME" --auth-mode login --query "[].name" --output tsv); then
+    return 1
+  fi
+
+  # For each container found, check blob listing
+  for container in $containers; do
+    if ! az storage blob list --container-name "$container" --account-name "$SA_NAME" --auth-mode login --output none; then
+      return 1
+    fi
+  done
+
+  # If container list succeeded (even if empty) and blob list (if any) succeeded, public access is enabled
+  return 0
+}
+
+# Setup the trap to disable public access on exit
+trap mgmtstorage_disable_public_access EXIT
+
+# Enable public access for deployment
+mgmtstorage_enable_public_access "$@"
diff --git a/devops/scripts/terraform_wrapper.sh b/devops/scripts/terraform_wrapper.sh
@@ -92,7 +92,7 @@ if [[ -z ${tf_logfile+x} ]]; then
 fi
 
 # shellcheck disable=SC1091
-source "$(dirname "$0")/mgmtstorage_add_network_exception.sh"
+source "$(dirname "$0")/mgmtstorage_enable_public_access.sh"
 
 terraform init -input=false -backend=true -reconfigure \
     -backend-config="resource_group_name=${mgmt_resource_group_name}" \

diff --git a/devops/scripts/upgrade.sh b/devops/scripts/upgrade.sh
@@ -54,7 +54,7 @@ else
 fi
 
 # shellcheck disable=SC1091
-source "$(dirname "$0")/mgmtstorage_add_network_exception.sh"
+source "$(dirname "$0")/mgmtstorage_enable_public_access.sh"
 
 # Run terraform init with upgrade and reconfigure options
 terraform -chdir="$DIR/terraform" init -upgrade -reconfigure -input=false -backend=true \

diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
@@ -26,10 +26,11 @@ if ! az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name"
 else
   echo "Storage account already exists..."
   az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --output table
-  # shellcheck disable=SC1091
-  source ../scripts/mgmtstorage_add_network_exception.sh
 fi
 
+# shellcheck disable=SC1091
+source ../scripts/mgmtstorage_enable_public_access.sh
+
 # Grant user blob data contributor permissions
 echo -e "\n\e[34m»»» 🔑 \e[96mGranting Storage Blob Data Contributor role to the current user\e[0m..."
 if [ -n "${ARM_CLIENT_ID:-}" ]; then
@@ -91,13 +92,4 @@ if ! terraform state show azurerm_storage_account.state_storage > /dev/null; the
 fi
 echo "State imported"
 
-# Update the storage account network to set default action to Deny and bypass AzureServices
-# shellcheck disable=SC2154
-az storage account update \
-  --name "$TF_VAR_mgmt_storage_account_name" \
-  --resource-group "$TF_VAR_mgmt_resource_group_name" \
-  --public-network-access enabled \
-  --default-action Deny \
-  --bypass AzureServices
-
 set +o nounset
diff --git a/devops/terraform/data.tf b/devops/terraform/data.tf
diff --git a/devops/terraform/deploy.sh b/devops/terraform/deploy.sh
@@ -6,7 +6,7 @@ set -o nounset
 # set -o xtrace
 
 # shellcheck disable=SC1091
-source ../scripts/mgmtstorage_add_network_exception.sh
+source ../scripts/mgmtstorage_enable_public_access.sh
 
 PLAN_FILE="devops.tfplan"
 

diff --git a/devops/terraform/destroy.sh b/devops/terraform/destroy.sh
@@ -6,6 +6,6 @@ set -o nounset
 # set -o xtrace
 
 # shellcheck disable=SC1091
-source ../scripts/mgmtstorage_add_network_exception.sh
+source ../scripts/mgmtstorage_enable_public_access.sh
 
-terraform destroy -auto-approve
+terraform destroy -auto-approve
diff --git a/devops/terraform/locals.tf b/devops/terraform/locals.tf
@@ -1,6 +1,4 @@
 locals {
   # The key store for encryption keys could either be external or created by terraform
   key_store_id = var.enable_cmk_encryption ? (var.external_key_store_id != null ? var.external_key_store_id : azurerm_key_vault.encryption_kv[0].id) : null
-
-  myip = var.public_deployment_ip_address != "" ? var.public_deployment_ip_address : chomp(data.http.myip[0].response_body)
 }
diff --git a/devops/terraform/main.tf b/devops/terraform/main.tf
@@ -33,13 +33,6 @@ resource "azurerm_storage_account" "state_storage" {
   allow_nested_items_to_be_public  = false
   shared_access_key_enabled        = false
   local_user_enabled               = false
-  public_network_access_enabled    = true
-
-  network_rules {
-    default_action = "Deny"
-    bypass         = ["AzureServices"]
-    ip_rules       = [local.myip] # Exception for deployment IP. This is removed in mgmtstorage_add_network_exception.sh
-  }
 
   dynamic "identity" {
     for_each = var.enable_cmk_encryption ? [1] : []